Server error : Partial commit is not allowed. Full commit must be completed.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Server error : Partial commit is not allowed. Full commit must be completed.

L1 Bithead

Palo version:

vm-license: VM-100
vm-mode: VMWare ESXi
sw-version: 8.0.4

 

I am trying to do a partial commit after a change on policy rules.

The following commands usually work. But for some reason, I ended in a state where partial commit/validate is not allowed:

 

admin@CST-OCBFW-INT01(active)# validate partial device-and-network excluded

Server error : Partial validate is not allowed. Full commit must be completed.

[edit]                                                                                                                                             
admin@CST-OCBFW-INT01(active)# commit partial device-and-network excluded

Server error : Partial commit is not allowed. Full commit must be completed.

[edit]  

 

The candidate config only has changes on security/rules which is part of the "policy-and-objects" config AFAIK.

What can be the cause of this state?

Can it be fixed so that I can issue a partial commit and avoid doing a seemingly useless full commit? Or does it mandatorily requires a full commit?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@hgiguelay,

Generally this would only appear if a security policy references something that falls within the device-and-network, as you are attempting to exclude that it wouldn't be able to validate or commit the config. 

1) Verify nothing you have configured actually relies on anything within the device-and-network config

2) Something got loopy and you just need to do an actual full commit instead of a partial. 

 

 

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

@hgiguelay,

Generally this would only appear if a security policy references something that falls within the device-and-network, as you are attempting to exclude that it wouldn't be able to validate or commit the config. 

1) Verify nothing you have configured actually relies on anything within the device-and-network config

2) Something got loopy and you just need to do an actual full commit instead of a partial. 

 

 

L7 Applicator

Or another admin changed something?

But I also think it's @BPrys possibility 2 (if you didn't create an EDL reachable over https, so that it requires a certificate profile; or a new log forwarding profile and you created the required serverprofile at the same time; and probably more possibilities ...)

 

 

Thanx for your help!

 

I don't exactly remember what I did to reach this state, but I checked that only security/rules were changed in the GUI "commit/preview changes" and in the CLI:

 

 

root@cst-ocbvpn-int01:/# diff -u <(panxapi.py -xrs) <(panxapi.py -Xro 'show config candidate')
show: success
op: success
--- /dev/fd/63    2017-08-21 14:38:12.174880000 +0000
+++ /dev/fd/62    2017-08-21 14:38:12.174880000 +0000
@@ -1759,89 +1759,109 @@
             <security>
               <rules>
                 <entry name="tpl_deny_paloappdefault">
+                  <action>deny</action>
+                  <application>
+                    <member>any</member>
...
+                  </destination>
+                  <rule-type>interzone</rule-type>
                 </entry>
               </rules>
             </security>

 

 

So in the current state, I only have changes in "policy-and-objects".

Of course many of those policy changes "point" to device-and-config "objects" (log-forwarding, services, etc), but there are no changes in device-and-config in the diff.

 

Maybe I did some changes on device-and-config that made the Palo "flag" the next commit has needing to be full, and then reverted those changes prior to the commit.

 

Anyway, I'll try and reproduce and better track what were my actions.

  • 1 accepted solution
  • 8879 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!